CVE Alert: CVE-2025-10445 – Campcodes – Computer Sales and Inventory System

CVE-2025-10445

HIGH

No exploitation known

A vulnerability has been identified in Campcodes Computer Sales and Inventory System 1.0. It affects an unknown function of the file /pages/us_transac.php?action=add. Manipulating the argument Username can lead to SQL injection. The attack may be launched remotely. An exploit has been published and could be used against exposed installations.

CVSS v3.1: 7.3
Vendor: Campcodes
Product: Computer Sales and Inventory System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-15T12:32:08.056Z
Updated: 2025-09-15T12:32:08.056Z

AI Summary Analysis

Risk verdict

High risk: remote SQL injection with a publicly available exploit; urgent patching required.

Why this matters

Exploitation can disclose or corrupt inventory and customer data, potentially causing financial impact and operational disruption. The public availability of the exploit increases the chance of opportunistic, automated attacks against exposed deployments.

Most likely attack path

An attacker targets /pages/us_transac.php?action=add by injecting SQL syntax into the Username parameter. No authentication or user interaction is required and the endpoint is network-accessible, so the attacker can execute arbitrary SQL against the backend database. Successful exploitation can lead to data leakage, integrity loss, or availability impact for the inventory system.

Who is most exposed

Web-facing installations of Campcodes Computer Sales and Inventory System v1.0 are most at risk, especially small businesses running Internet-exposed web apps with weak or overly broad database permissions.

Detection ideas

  • Web/app logs show anomalous or erroring SQL queries from the affected endpoint.
  • Unusual or elevated data returned from the database after requests to us_transac.php?action=add.
  • Long-running queries or time-based delays linked to specific inputs.
  • Data anomalies in inventory, pricing, or order records following endpoint access.
  • Repeated patterns of suspicious payloads in the Username field.

Mitigation and prioritisation

  • Apply vendor patch or upgrade to a secured version; if unavailable, apply compensating controls.
  • Implement parameterised queries/prepared statements and strict input validation for Username.
  • Enable WAF/IDS rules targeting SQL injection on the affected endpoint.
  • Restrict the web app’s DB account to least privilege and separate duties.
  • Schedule a targeted patch window and verify the fix with test requests to the endpoint.
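As an added example (not from the advisory or the vendor), the detection ideas above applied to constructed application log lines for the affected endpoint. The JSON log field names, the latency threshold and the keyword heuristics are assumptions; real deployments need the form parameter logged by the app or a WAF, since plain access logs do not carry POST bodies.

```python
import json
import re
from collections import Counter

# Constructed application log (one JSON object per line). Field names are an
# assumption about what a logging layer in front of the PHP app would emit.
SAMPLE_LOG = """
{"ip":"203.0.113.10","path":"/pages/us_transac.php","query":"action=add","form":{"Username":"jdoe"},"status":200,"duration_ms":41}
{"ip":"203.0.113.10","path":"/pages/us_transac.php","query":"action=add","form":{"Username":"jdoe' OR '1'='1"},"status":500,"duration_ms":38}
{"ip":"203.0.113.10","path":"/pages/us_transac.php","query":"action=add","form":{"Username":"jdoe' AND SLEEP(5)-- "},"status":200,"duration_ms":5120}
{"ip":"198.51.100.7","path":"/pages/us_transac.php","query":"action=add","form":{"Username":"asmith"},"status":200,"duration_ms":44}
{"ip":"198.51.100.7","path":"/pages/login.php","query":"","form":{"Username":"x' UNION SELECT 1--"},"status":200,"duration_ms":50}
"""

AFFECTED_PATH = "/pages/us_transac.php"
AFFECTED_QUERY = "action=add"
SLOW_MS = 2000  # assumed threshold for "time-based delay" detection

# Heuristic: SQL metacharacters or keywords in a field that should only hold a username.
SQLI_PATTERN = re.compile(
    r"('|--|/\*|;|\bOR\b|\bAND\b|\bUNION\b|\bSELECT\b|\bSLEEP\b|\bBENCHMARK\b)",
    re.IGNORECASE,
)


def analyse(log_text):
    """Return one finding per request to the affected endpoint that trips a rule."""
    findings = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        if e["path"] != AFFECTED_PATH or e["query"] != AFFECTED_QUERY:
            continue  # only the vulnerable endpoint is in scope here
        username = e.get("form", {}).get("Username", "")
        reasons = []
        if SQLI_PATTERN.search(username):
            reasons.append("sqli_payload")      # suspicious payload in Username
        if e["status"] >= 500:
            reasons.append("server_error")      # erroring SQL surfaces as 5xx
        if e["duration_ms"] >= SLOW_MS:
            reasons.append("slow_response")     # time-based injection symptom
        if reasons:
            findings.append({"ip": e["ip"], "username": username, "reasons": reasons})
    return findings


def repeat_offenders(findings, threshold=2):
    """Source IPs with repeated suspicious hits, a cue for automated probing."""
    counts = Counter(f["ip"] for f in findings)
    return {ip for ip, n in counts.items() if n >= threshold}
```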
